But Mulligan’s measured testimony helps illuminate three details about the hack that pilfered credit card data and personal records from the retailer’s computer systems last November and December.
• The amount of fraud on compromised cards has been less than expected so far. Target can detect levels of fraud on its branded payment cards, which account for only 15 percent of the compromised cards in its data breach, according to Mulligan. Of the retailer’s various types of proprietary payment cards, only the Target-branded credit card has seen an uptick in fraud, he said—a 0.1 percent incremental increase.
Also testifying before the committee, Ellen Richey, Visa’s chief enterprise risk officer, said that her company expects to see fraud on 2 percent to 5 percent of payment cards compromised in major breaches. With the Target breach, the level has been much lower so far, she said.
This doesn’t mean fraud won’t increase later. Security experts have said it could take years for criminals to sell and use the card data stolen in the heist.
• The number of affected customers is likely to be no more than 98 million. Target has previously reported that the hackers absconded with payment card data for about 40 million customers and with personal information, such as phone numbers and e-mail addresses, for 70 million.
Target now says its analysis indicates these two populations of compromised customers overlap by at least 12 million people. That means the number of affected customers is at most 98 million. It also means at least 12 million of these customers lost both payment card data and personal information in the heist.
• After Bloomberg Businessweek reported in last week’s cover story that Target had failed to follow through on security alerts triggered by the hacker’s activities, the company says it is investigating whether it could have prevented damage if it had responded differently. “In particular, we are focused on what information we had that could have alerted us to the breach earlier; whether we had the right personnel in the right positions; and ensuring that decisions related to operational and security matters were sound,” said Mulligan in his testimony.
Those answers probably won’t come until Target finishes the internal review of its security systems. Mulligan provided no information Wednesday on when the review will conclude.